CVE-2022-35941 in TensorFlow
Summary
by MITRE • 09/17/2022
TensorFlow is an open source platform for machine learning. The `AvgPoolOp` function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program. We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds to this issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/19/2022
The vulnerability described in CVE-2022-35941 affects TensorFlow, a widely-used open source machine learning platform that serves as the foundation for numerous artificial intelligence applications across industries. This issue resides within the AvgPoolOp function, which implements average pooling operations commonly used in convolutional neural networks for feature extraction and dimensionality reduction. The affected component represents a core building block in deep learning model architectures, making this vulnerability particularly concerning for organizations relying on TensorFlow-based systems for critical AI workloads.
The technical flaw manifests in the lack of input validation for the ksize parameter within the AvgPoolOp function. According to CWE-20, this constitutes a classic input validation vulnerability where the system fails to properly validate user-provided parameters before processing them. The function accepts a ksize argument that should logically contain positive values representing the size of the pooling window, yet no validation mechanism exists to verify this constraint. When a negative ksize value is passed, it triggers a CHECK failure that results in an immediate program crash rather than graceful error handling or rejection of invalid input. This unchecked parameter can be exploited through malicious inputs or malformed model specifications, potentially leading to denial of service conditions that disrupt machine learning workflows and training processes.
The operational impact of this vulnerability extends beyond simple program termination, as it represents a potential vector for denial of service attacks against TensorFlow-based systems. Attackers could potentially disrupt machine learning services by submitting negative ksize values to trigger crashes in production environments, particularly in applications where user inputs or external data sources feed into model configurations. The vulnerability affects multiple TensorFlow versions including 2.7.2, 2.8.1, 2.9.1, and the unreleased 2.10.0, indicating this represents a widespread issue across the supported release lifecycle. Given that TensorFlow is extensively used in enterprise AI deployments, cloud platforms, and research environments, the potential for cascading failures in machine learning pipelines is significant, especially when considering that many organizations may not have robust input sanitization in their custom implementations.
The fix implemented by the TensorFlow team addresses this vulnerability through proper input validation in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f, which ensures that the ksize parameter is validated before processing. This approach aligns with ATT&CK technique T1499.004 for avoiding detection through proper error handling and input validation. Organizations should immediately apply the patch to all affected versions, particularly since the fix has been cherry-picked for the supported maintenance releases, demonstrating the severity of the issue. The lack of known workarounds means that defensive measures must rely entirely on patch management and version updates, emphasizing the importance of maintaining current software versions in AI infrastructure deployments. Security teams should monitor for potential exploitation attempts targeting this specific vulnerability, particularly in environments where TensorFlow is exposed to untrusted inputs or where model configurations might be dynamically generated from external sources.